CSU Windows Security Group – Securing Windows Server Tasks

Draft 6 – May 20, 2005

This is a draft prepared by the campus Windows Security Group, a subgroup of the campus Windows Group. It is a cut-and-paste of separate documents, so the formatting is not yet consistent. It is intended to give an overview of the direction the group is taking and to solicit feedback. The intent of this document is to outline basic security steps that the average IT administrator can quickly take to increase the security of their Windows servers. The Windows Security Group plans to host brown bag training sessions throughout Spring 2005 to help administrators master the skills needed to implement these recommendations.

Windows Security Tasks

I. Auditing

II. Physical Security

III. Setup and Patching

IV. Account Management*

V. Restrict Anonymous Access & NTLM Authentication

* One item under Account Management, strong passwords, is now a mandatory requirement under CSU’s Campus IT Security Policy.

I. Auditing

If no auditing is configured, it will be difficult or impossible to determine what took place during a security incident. However, if auditing is configured so that too many authorized activities generate events, the security event log will fill up with useless data. Audit events A-E below typically do not generate large amounts of log data and should be set as recommended by all IT administrators. Audit events F-I will generate large amounts of information and will often fill up the logs; therefore it is recommended that these only be set when detailed logging is required (i.e., under attack, etc.).

The following values can be configured in the Domain Group Policy section of Windows Server 2000/2003 at the following location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

A. Audit account logon events = Success, Failure (Recommended settings)

The Audit account logon events setting determines whether to audit each instance of a user logging on to or off another computer that validates the account. Authenticating a domain user account on a domain controller generates an account logon event. The event is logged in the domain controller's security log. Authenticating a local user on a local computer generates a logon event. The event is logged in the local security log. There are no Account logoff events logged.

Can be implemented with GPO’s: YES

B. Audit account management = Success, Failure (Recommended settings)

The Audit account management setting determines whether to audit each account management event on a computer. Examples of account management events include:

• A user account or group is created, changed, or deleted.

• A user account is renamed, disabled, or enabled.

• A password is set or changed.

Organizations need to be able to determine who has created, modified, or deleted both domain and local accounts. Unauthorized changes could indicate mistaken changes made by an administrator who does not understand how to follow corporate policies or a deliberate attack.

Can be implemented with GPO’s: YES

C. Audit logon events = Success, Failure (Recommended settings)

The Audit logon events setting determines whether to audit each instance of a user logging on to or off of a computer. Records are generated from the Account logon events setting on domain controllers to monitor domain account activity and on local computers to monitor local account activity.

Configuring the Audit logon events setting to No auditing makes it difficult or impossible to determine which user has either logged on or attempted to log on to computers in the enterprise. Enabling the Success value for the Audit logon events setting on a domain member will generate an event each time that someone logs on to the system regardless of where the accounts reside on the system. If the user logs on to a local account, and the Audit account logon events setting is Enabled, the user logon will generate two events. There will be no audit record evidence available for analysis after a security incident takes place if the values for this setting are not configured to Success and Failure.

Can be implemented with GPO’s: YES

D. Audit policy change = Failure (Recommended settings)

The Audit policy change setting determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. This includes making changes to the audit policy itself.

Configuring this setting to Success generates an audit entry for each successful change to user rights assignment policies, audit policies, or trust policies. Configuring this setting to Failure generates an audit entry for each failed change to user rights assignment policies, audit policies, or trust policies.

Can be implemented with GPO’s: YES

E. Audit system events = Success, Failure (Recommended settings)

The Audit system events setting determines whether to audit when a user restarts or shuts down a computer or when an event occurs that affects either the system security or the security log. Configuring this setting to Success generates an audit entry when a system event is executed successfully.

Can be implemented with GPO’s: YES

Recommendations marked with an asterisk (*) identify settings that will generate a significant number of log entries.

Audit events F-I will generate large amounts of information and will often fill up the logs; therefore it is recommended that these only be set when detailed logging is required (i.e., under attack, etc.).

F. Audit directory service access = Failure* (Recommended settings)

The Audit directory service access setting determines whether to audit the event of a user accessing a Microsoft Active Directory service object that has its own system access control list (SACL) specified. Setting Audit directory service access to No Auditing makes it difficult or impossible to determine what Active Directory objects may have been compromised during a security incident. There will be no audit record evidence available for analysis after a security incident if the values for this setting are not set to Success and Failure.

Can be implemented with GPO’s: YES

G. Audit object access = Failure* (Recommended settings)

By itself, this setting will not cause any events to be audited. The Audit object access setting determines whether to audit the event of a user accessing an object — for example, a file, folder, registry key, printer, and so forth — that has a specified SACL.

A SACL is comprised of access control entries (ACEs). Each ACE contains three pieces:

• The security principal (user, computer, or group) to be audited.

• The specific access type to be audited, called an access mask.

• A flag to indicate whether to audit failed access events, successful access events,

Configuring this setting to Success generates an audit entry each time that a user successfully accesses an object with a specified SACL. Configuring this setting to Failure generates an audit entry each time that a user unsuccessfully attempts to access an object with a specified SACL.

Corporations should define only the actions they want enabled when configuring SACLs. For example, you might want to enable the Write and Append Data auditing setting on executable files to track the replacement or changes to those files, which computer viruses, worms, and Trojan horses will commonly cause. Similarly, you might want to track changes to or even the reading of sensitive documents.

Can be implemented with GPO’s: YES
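
Added example, not part of this draft: a PowerShell function that places the audit entry described above on a folder of executables, so that the Audit object access setting (G) has something to record. The three pieces of the ACE (security principal, access mask, success/failure flag) appear as the three corresponding arguments of the .NET FileSystemAuditRule class. It assumes Windows PowerShell 3.0 or later and an elevated session, since writing a SACL requires the "Manage auditing and security log" right; the folder path in the usage comment is a placeholder.

```powershell
#Requires -RunAsAdministrator

function Add-ExecutableWriteAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Folder whose files should be audited for replacement or modification.
        [Parameter(Mandatory)] [string] $Path,
        # Security principal to audit; Everyone records changes made under any account.
        [string] $Principal = 'Everyone'
    )

    # Access mask (piece 2): Write covers WriteData, AppendData and attribute writes;
    # Delete is added because "replace the file" is the pattern the text warns about.
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
    # Audit flag (piece 3): record both successful and failed attempts. Which of the
    # two actually reach the Security log is decided by the policy setting G.
    $flags = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    # Inherit to files and subfolders; InheritOnly keeps the folder object itself out.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Piece 1 (principal), piece 2 (rights) and piece 3 (flags) make up the ACE.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList $Principal, $rights, $inherit, $propagate, $flags

    # -Audit is required to read the SACL; without it Get-Acl returns only the DACL.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Add audit rule for $Principal")) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

function Get-AuditRules {
    # Lists the SACL entries on a path so the new rule can be verified.
    param([Parameter(Mandatory)] [string] $Path)
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
}

# Usage (placeholder folder):
#   Add-ExecutableWriteAudit -Path 'C:\Program Files\ExampleApp' -WhatIf   # dry run
#   Add-ExecutableWriteAudit -Path 'C:\Program Files\ExampleApp'
#   Get-AuditRules -Path 'C:\Program Files\ExampleApp'
```

The function changes nothing until Audit object access is set to Success and/or Failure, which is exactly the "by itself, this setting will not cause any events to be audited" point above: the policy decides whether object-access events are written, the SACL decides which objects and which accesses are candidates.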

H. Audit privilege use = Failure* (Recommended settings)

The Audit privilege use setting determines whether to audit each instance of a user exercising a user right. Configuring this value to Success generates an audit entry each time that a user right is exercised successfully. Configuring this value to Failure generates an audit entry each time that a user right is exercised unsuccessfully.

Can be implemented with GPO’s: YES

I. Audit process tracking = No auditing* (Recommended settings)

The Audit process tracking setting determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Configuring this setting to Success generates an audit entry each time the process being tracked succeeds. Configuring this setting to Failure generates an audit entry each time the process being tracked fails.

Enabling Audit process tracking will generate a large number of events, so typically it is set to No Auditing. However, these settings can provide a great benefit during an incident response from the detailed log of the processes started and the time when they were launched.

Can be implemented with GPO’s: YES

J. Maximum application log size = 16384 kilobytes

Restrict guest access to application log = enabled

Retention method for application log = As Needed

K. Maximum security log size = 81920 kilobytes

Restrict guest access to security log = enabled

Retention method for security log = As Needed

L. Maximum system log size = 16384 kilobytes

Restrict guest access to system log = enabled

Retention method for system log = As Needed

The log size is a Microsoft recommendation; this value can certainly be changed. The retention method is set to overwrite events as needed. This will keep the logs from filling up and displaying error messages on servers.

Can be implemented with GPO’s: YES
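
Added example, not part of this draft: a PowerShell script that reads the effective audit policy and event log settings on the local server and reports every place they differ from the recommendations in items A-L above. It assumes Windows Vista/Server 2008 or later, where auditpol.exe and Get-WinEvent exist; the draft targets Windows 2000/2003, so its nine audit categories are mapped to their auditpol category names here (an assumption of the mapping, not something the draft states), and "Retention method = As Needed" is taken to correspond to the Circular log mode.

```powershell
#Requires -RunAsAdministrator

# Recommended settings A-I, keyed by the auditpol category that holds the legacy category.
$RecommendedAudit = [ordered]@{
    'Account Logon'      = 'Success and Failure'   # A. Audit account logon events
    'Account Management' = 'Success and Failure'   # B. Audit account management
    'Logon/Logoff'       = 'Success and Failure'   # C. Audit logon events
    'Policy Change'      = 'Failure'               # D. Audit policy change
    'System'             = 'Success and Failure'   # E. Audit system events
    'DS Access'          = 'Failure'               # F. Audit directory service access (*)
    'Object Access'      = 'Failure'               # G. Audit object access (*)
    'Privilege Use'      = 'Failure'               # H. Audit privilege use (*)
    'Detailed Tracking'  = 'No Auditing'           # I. Audit process tracking (*)
}

# Items J-L: maximum log size in kilobytes; retention "As Needed" = LogMode Circular.
$RecommendedLogs = [ordered]@{ Application = 16384; Security = 81920; System = 16384 }

function Test-AuditPolicy {
    foreach ($category in $RecommendedAudit.Keys) {
        # auditpol /r prints CSV with the columns: Machine Name, Policy Target,
        # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
        $rows = auditpol /get /category:"$category" /r | ConvertFrom-Csv
        foreach ($row in $rows) {
            $current = $row.'Inclusion Setting'
            [pscustomobject]@{
                Category    = $category
                Subcategory = $row.Subcategory
                Current     = $current
                Recommended = $RecommendedAudit[$category]
                Matches     = ($current -eq $RecommendedAudit[$category])
            }
        }
    }
}

function Test-EventLogSettings {
    foreach ($logName in $RecommendedLogs.Keys) {
        $log = Get-WinEvent -ListLog $logName
        $wantedBytes = $RecommendedLogs[$logName] * 1KB
        [pscustomobject]@{
            Log       = $logName
            MaxSizeKB = [int]($log.MaximumSizeInBytes / 1KB)
            WantedKB  = $RecommendedLogs[$logName]
            Retention = $log.LogMode
            Matches   = ($log.MaximumSizeInBytes -ge $wantedBytes -and $log.LogMode -eq 'Circular')
        }
    }
}

# Print only the differences; those are the lines to correct in the Audit Policy GPO.
Test-AuditPolicy      | Where-Object { -not $_.Matches } | Format-Table -AutoSize
Test-EventLogSettings | Where-Object { -not $_.Matches } | Format-Table -AutoSize
```

Run it after a Group Policy refresh on a representative member server and on a domain controller separately: the account logon events described under A are written on the domain controller that validates the account, so a clean report on a member server says nothing about the DC.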

II. Physical Security

Per CSU’s IT Security Policy General IT Security Policies and Guidelines, “servers shall be housed in a physically secure facility where access is limited to only those individuals requiring access to perform routine or emergency maintenance on the system.”

III. Setup and Patching

Following these guidelines will allow you to build and maintain a Windows server that is relatively secure. Windows Server 2003 should be installed unless there is a compatibility issue. In-place upgrades are discouraged. We recommend adding BIOS password protection and turning off unnecessary ports such as USB, serial, and parallel unless needed. We also recommend that the boot order be modified on Domain Controllers to boot from the operating system volume first and disable booting from PXE and USB.

A. Automate the install process to ensure consistent, complete security. – Create a process document to outline the installation process to ensure consistency of server builds. Use Ghost or other imaging techniques, if possible, to have a consistent build process.

Can be implemented with GPO’s: NO

B. Format all partitions as NTFS volumes. – Security is better on an NTFS volume than a FAT volume. Recommended boot drive size is 15-20 GB.

Can be implemented with GPO’s: NO

C. Install operating system while the server is disconnected from the network. – Obtain a CD with the latest operating system version and service packs from Software Cellar. This will mean less patching after the initial install.

Can be implemented with GPO’s: NO

D. Only install TCP/IP for the network transport. – This follows with only installing necessary services.

Can be implemented with GPO’s: NO

E. Do not install SMTP unless necessary. – This follows with only installing necessary services.

Can be implemented with GPO’s: NO

F. Do not install IIS on Domain Controllers. – We recommend that you do not install IIS on anything that isn’t a web server. This follows with only installing necessary services.

Can be implemented with GPO’s: YES

G. Only enable required services. – See Appendix A “Windows 2003 Server Baseline Services Settings” for a list of services and how Microsoft recommends they should be set for baseline servers. You should test any changes in your environment to be sure they work for you.

• Save a list of original Service States – you can export the existing state of the services list before making changes. Use this list as a reference to get back your original configuration in the event of a conflict. Right-click on Services in the MMC and choose Export List.

Can be implemented with GPO’s: YES
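
Added example, not part of this draft: two PowerShell functions that do what the bullet above describes, saving a snapshot of every service's start mode and state to a CSV file and later reporting which services changed, appeared or disappeared relative to that snapshot. This is the check to run after applying the Appendix A baseline or a role-specific GPO. It assumes Windows PowerShell 3.0 or later (Get-CimInstance); the file path in the usage comment is a placeholder.

```powershell
# Snapshot: one row per service with its configured start mode and current state.
function Save-ServiceBaseline {
    param([Parameter(Mandatory)] [string] $Path)
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, StartMode, State |
        Sort-Object Name |
        Export-Csv -Path $Path -NoTypeInformation
}

# Comparison: services whose start mode or state differ from the snapshot, plus
# services added or removed since it was taken (for example by a role install).
function Compare-ServiceBaseline {
    param([Parameter(Mandatory)] [string] $Path)

    # Index the live services by name so each baseline row is a single lookup.
    $current = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) { $current[$svc.Name] = $svc }

    foreach ($base in Import-Csv -Path $Path) {
        $now = $current[$base.Name]
        $baseState = "$($base.StartMode)/$($base.State)"
        if ($null -eq $now) {
            [pscustomobject]@{ Name = $base.Name; Change = 'Removed'; Baseline = $baseState; Current = '-' }
        } elseif ($now.StartMode -ne $base.StartMode -or $now.State -ne $base.State) {
            [pscustomobject]@{ Name = $base.Name; Change = 'Changed'; Baseline = $baseState
                               Current = "$($now.StartMode)/$($now.State)" }
        }
        # Whatever is left in the index after this loop was not in the baseline.
        $current.Remove($base.Name)
    }

    foreach ($name in $current.Keys) {
        $now = $current[$name]
        [pscustomobject]@{ Name = $name; Change = 'Added'; Baseline = '-'
                           Current = "$($now.StartMode)/$($now.State)" }
    }
}

# Usage (placeholder path):
#   Save-ServiceBaseline -Path 'C:\Baseline\services-before.csv'
#   ... apply the baseline service settings or the role GPO ...
#   Compare-ServiceBaseline -Path 'C:\Baseline\services-before.csv' | Format-Table -AutoSize
```

Keep the "before" CSV with the server's build documentation from item A; a service that shows as Changed with no matching entry in your process document is either an undocumented change or something worth investigating.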

The following is a list of additional services which may need to be enabled for various server roles beyond the baseline table in Appendix A. Services can be managed with GPOs with an appropriate OU structure. For example, an Exchange server placed in its own OU can then have Exchange-specific GPOs applied.

Citrix

• Terminal Services Licensing

DHCP Server

• DHCP Server

Exchange

• HTTP SSL

• IIS Admin Service

• Microsoft POP3 Service

• Network News Transfer Protocol (NNTP)

• Simple Mail Transport Protocol (SMTP)

• World Wide Web Publishing Service

Internet Authentication Server

• Internet Authentication Service

Internet Information Server (IIS)

• ASP .NET State Service

• Distributed Transaction Coordinator

• FTP Publishing Service

• HTTP SSL

• IIS Admin Service

• Indexing Service

• Simple Mail Transport Protocol (SMTP)

• World Wide Web Publishing Service

Remote Installation Server (RIS)

• Single Instance Storage Groveler

• Trivial FTP Daemon

SQL

• Distributed Transaction Coordinator

• MSSQLServer

• MSSQLServerADHelper

• SQLSERVERAGENT

OTHER

• Many 3rd party applications require additional services, such as Dell OpenManage, Symantec System Center, Symantec Ghost, Webroot SpySweeper, etc.

H. Run anti-virus on all servers. – We recommend this unless you have a known conflict. Test the anti-virus software thoroughly before putting the server into a production environment.

Can be implemented with GPO’s: NO

I. Apply all current service packs and hot fixes and keep up to date. – Connect the server to a firewall before trying to download service packs and hotfixes. This will protect your server from being compromised while obtaining the critical updates. Installing from the most current version of Windows media will cut down on the number of critical updates you will need to download.

Can be implemented with GPO’s: NO

J. Automate and audit service pack and hot fix levels. – We recommend that you subscribe to Microsoft security bulletins and other popular IT security bulletins. Test service packs and critical updates prior to deploying in a production environment. Hotfixes have a high priority and should be applied no later than when ACNS releases them to their Security Update Server (SUS). Consider building your own SUS server or use the ACNS SUS server for automated critical hotfix updates. Do not lag behind the ACNS SUS server. ACNS maintains a listserv for SUS administrators. To join the list go to: and select the SUSADMINS list.

Can be implemented with GPO’s: NO

K. Prevent local guests from accessing application and system logs. – Local guest accounts should not have access to the application and system logs.

Can be implemented with GPO’s: YES

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Event log: Application log SDDL

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Event log: System log SDDL

L. Prevent local guests from accessing security logs. – Local guest accounts should not have access to the security log.

Can be implemented with GPO’s: YES

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignments\Manage auditing and security log

IV. Account Management

A. Limit the Number of Local Administrator Accounts

There should be no more than two (2) local administrator accounts on Windows servers. There should be no more than two (2) local administrator accounts on Windows workstations (i.e., Windows XP). Minimize the number of user accounts that are members of the Local Administrators Group and Domain Admins Group.

WHY: If an administrative account is compromised, this can help reduce the spread and severity of unauthorized access.

Can be implemented with GPO’s: NO

(In a tightly restricted homogenous lab environment there are ‘Restricted Groups’ GPO settings that can control local group membership.)

B. Enforce the “Least Privilege” Principle

Under the “least privilege” principle a user is granted the lowest level of local permissions needed to perform their job. Most standard software runs fine for accounts set as “User”. For those programs that do not run correctly with a User account, administrators can use applications such as Filemon and Regmon to help identify which specific files and registry keys need permissions adjusted. These utilities are available for free from . It is likely that other people on campus have already determined the necessary permissions changes for common applications; send an inquiry to the subnet managers’ listserv (subnet-managers@yuma.colostate.edu).

WHY: Users can perform the majority of their daily tasks without requiring elevated privileges. These measures can reduce the amount of installed spyware and rogue applications.

Can be implemented with GPO’s: NO

C. Use Separate Administrative and User Accounts for Administrative Users

Viruses and spyware can do far greater damage to a computer and network resources if the infection occurs while an administrative user is logged in. Network administrators should log onto workstations with a User account for non-administrative daily activity. When an administrative task must be performed, use the “Run As” feature or Remote Desktop Connection. Administrators should not use the same password for both the administrative account and the user account.

WHY: These measures can help minimize potential damage caused by malware, carelessness and mistakes.

Can be implemented with GPO’s: NO

D. Rename the Default Local Accounts and Create Decoy Accounts

Renaming the local Administrator and Guest accounts may help prevent common attacks on Windows systems.

1. Right-Click on the default local Administrator account and select “Rename”. Give the account a name that can be remembered and tracked when reviewing login attempts in the log files.

2. Right-Click, Properties on the renamed local Administrator account and cut the Description field text. Type in an innocuous description, something that doesn’t imply administrative permissions.

3. Create a new account named Administrator (use a capital ‘A’).

4. Paste the description from the original Administrator account into the Description field of this new Administrator account.

5. Go back into the Properties of the Decoy Administrator account and clear out the Full Name field.

6. Create a strong and complex password for both the renamed Administrator account and the decoy Administrator account. Change this password periodically!

7. Do not add the decoy Administrator account to the local Administrators group. Instead, remove the decoy Administrator account from all groups on the Member Of tab.

8. Repeat steps 1-6 above for the default Guest account (making name changes where appropriate). Be sure to disable the renamed Guest account.

9. Prevent local guests group from accessing logs!

WHY: Default accounts are often targets for attack; these measures can help thwart common attacks.

Can be implemented with GPO’s: YES (only the Rename portion)

Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options

Computer Configuration / Windows Settings / Security Settings / Event Log
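
Added example, not part of this draft: a PowerShell function that carries out steps 1-8 above on the local machine, for the Administrator and Guest accounts in turn. The built-in accounts are located by their well-known relative identifier (500 for Administrator, 501 for Guest) rather than by name, so the function still works on a machine where they were renamed earlier. It assumes the LocalAccounts module shipped with Windows 10 / Windows Server 2016 and later (Get-LocalUser, Rename-LocalUser, New-LocalUser and related cmdlets), which the 2000/2003 systems the draft covers do not have; account names in the usage comment are placeholders and passwords are read from the console so they never appear in a script or command history.

```powershell
#Requires -RunAsAdministrator

function Rename-BuiltinAccountWithDecoy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [ValidateSet(500, 501)] [int] $Rid,   # 500 = Administrator, 501 = Guest
        [Parameter(Mandatory)] [string] $NewName,                     # step 1: new name for the real account
        [Parameter(Mandatory)] [securestring] $NewPassword,           # step 6: strong password, real account
        [Parameter(Mandatory)] [securestring] $DecoyPassword,         # step 6: strong password, decoy
        [string] $InnocuousDescription = 'Local service account',     # step 2: nothing that implies admin rights
        [switch] $DisableRenamed                                      # step 8: used for the Guest account
    )

    # Find the built-in account by RID; it may already carry a non-default name.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like "S-1-5-21-*-$Rid" }
    if (-not $builtin) { throw "No local account with RID $Rid found" }
    $decoyName = if ($Rid -eq 500) { 'Administrator' } else { 'Guest' }
    if ($builtin.Name -eq $NewName) { throw "Account with RID $Rid is already named $NewName" }
    if (Get-LocalUser -Name $decoyName -ErrorAction SilentlyContinue) { throw "A decoy named $decoyName already exists" }

    $originalDescription = $builtin.Description   # step 2: keep the default text for the decoy (step 4)

    if (-not $PSCmdlet.ShouldProcess("RID $Rid ($($builtin.Name))", "rename to $NewName and create decoy $decoyName")) { return }

    Rename-LocalUser -SID $builtin.SID -NewName $NewName                                        # step 1
    Set-LocalUser -SID $builtin.SID -Description $InnocuousDescription -Password $NewPassword   # steps 2, 6
    if ($DisableRenamed) { Disable-LocalUser -SID $builtin.SID }                                # step 8

    # Steps 3-6: the decoy keeps the default description; New-LocalUser leaves Full Name empty (step 5).
    $decoyParams = @{ Name = $decoyName; Password = $DecoyPassword }
    if ($originalDescription) { $decoyParams.Description = $originalDescription }
    $decoy = New-LocalUser @decoyParams

    # Step 7: the decoy must be a member of no local group at all.
    foreach ($group in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.SID.Value -eq $decoy.SID.Value }) {
            Remove-LocalGroupMember -Group $group -Member $decoy
        }
    }
    $decoy
}

# Usage (placeholder names; -WhatIf first to see what would change):
#   $real  = Read-Host 'Password for the renamed account' -AsSecureString
#   $decoy = Read-Host 'Password for the decoy account'   -AsSecureString
#   Rename-BuiltinAccountWithDecoy -Rid 500 -NewName 'svc-maint' -NewPassword $real -DecoyPassword $decoy
#   Rename-BuiltinAccountWithDecoy -Rid 501 -NewName 'visitor-x' -NewPassword $real -DecoyPassword $decoy -DisableRenamed
```

After running it, logon attempts against the name "Administrator" land on an account with no group memberships, and because auditing item C is set to Failure those attempts show up in the Security log under the decoy's name, which is the tracking benefit step 1 mentions.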

E. Use Strong Password Complexity

Under the mandatory section of CSU’s Campus IT Security Policy item 5 states “Strong passwords shall be implemented on all systems.”

1. General System Passwords

a. Passwords for general systems shall be at least eight (8) characters in length. Passwords for server administrative access on Windows operating systems shall be a minimum of 15 characters.

b. Passwords shall not be derived from a user’s name or login ID.

c. Passwords shall not be derived from system-specific information such as hostname, aliases or entries in users’ files.

d. Commonly used words or words appearing in either English or foreign language dictionaries shall not be used.

2. In addition, passwords should follow a minimum rule set for complexity. One such set of rules for password complexity that should be considered (there are others) is that passwords shall conform to at least three (3) of the following conditions:

a. Contain one or more upper case characters

b. Contain one or more lower case characters

c. Contain one or more numerals (0, 1, 2… 9)

d. Contain one or more special characters (non-alphabetic and non-numeric e.g., punctuation symbols or any of #, $, %, ^, &, *)

Finally, use of the same administrative or “root” password across administrative boundaries is prohibited. For example, system administrators should select an administrative password for configuring network hardware in their area, another password for administering their Windows servers, and yet another unique root password for UNIX servers. Separate and distinct passwords shall also be used for units managing more than one Windows domain.

Note: If you plan to eliminate the local storage of LM hashes, (as described in V. section J), your users will need to change their passwords. You may want to coordinate your password complexity implementation with the elimination of the storage of LM hashes so that your users will only have to change their passwords once.

WHY: Complex and longer passwords are harder to crack.

Can be implemented with GPO’s: YES (must be set in Default Domain Policy)

Computer Configuration / Windows Settings / Security Settings / Account Policies / Password Policy
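
Added example, not part of this draft: a PowerShell function that checks a candidate password against rules 1a-1d and 2a-2d above, so an administrator can test a proposed server password before the domain policy rejects it or, worse, accepts something weak. The Windows "password must meet complexity requirements" setting enforces only the three-of-four class rule, so rules 1b-1d have to be checked outside the OS. The word list is a small constructed stand-in for the dictionaries rule 1d refers to; the login IDs and passwords in the usage comments are constructed values.

```powershell
function Test-CsuPasswordRules {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $UserName,                 # login ID, rule 1b
        [string] $HostName = $env:COMPUTERNAME,                     # rule 1c
        # Constructed stand-in for a real dictionary (rule 1d); pass a full word list in practice.
        [string[]] $WordList = @('password', 'welcome', 'colorado', 'summer', 'admin'),
        [switch] $Administrative                                    # server administrative access: 15 characters (rule 1a)
    )
    $failures = New-Object System.Collections.Generic.List[string]

    # Rule 1a: eight characters in general, fifteen for Windows server administrative access.
    $minLength = if ($Administrative) { 15 } else { 8 }
    if ($Password.Length -lt $minLength) { $failures.Add("1a: shorter than $minLength characters") }

    # Rules 1b and 1c: not derived from the login ID or host name, forwards or reversed.
    $lower = $Password.ToLowerInvariant()
    foreach ($pair in @(@('1b', $UserName), @('1c', $HostName))) {
        $token = $pair[1].ToLowerInvariant()
        if ($token.Length -ge 3) {
            $reversed = -join $token[-1..-$token.Length]
            if ($lower.Contains($token) -or $lower.Contains($reversed)) {
                $failures.Add("$($pair[0]): derived from '$($pair[1])'")
            }
        }
    }

    # Rule 1d: no dictionary words, whole or embedded.
    foreach ($word in $WordList) {
        if ($word.Length -ge 4 -and $lower.Contains($word.ToLowerInvariant())) {
            $failures.Add("1d: contains dictionary word '$word'")
            break
        }
    }

    # Rule 2: at least three of the four character classes (2a-2d).
    $classes = @(
        ($Password -cmatch '[A-Z]'),        # 2a upper case
        ($Password -cmatch '[a-z]'),        # 2b lower case
        ($Password -match '[0-9]'),         # 2c numerals
        ($Password -match '[^A-Za-z0-9]')   # 2d special characters
    )
    $classCount = @($classes | Where-Object { $_ }).Count
    if ($classCount -lt 3) { $failures.Add("2: only $classCount of 4 character classes present") }

    [pscustomobject]@{ Passed = ($failures.Count -eq 0); Failures = $failures.ToArray() }
}

# Usage with constructed values:
#   Test-CsuPasswordRules -Password 'Summer2005!' -UserName 'jdoe'                        # fails 1d ("summer")
#   Test-CsuPasswordRules -Password 'eodj-Xy7#Kq' -UserName 'jdoe'                        # fails 1b (reversed login ID)
#   Test-CsuPasswordRules -Password 'Tr4il#ridge!Moraine9' -UserName 'jdoe' -Administrative   # passes: 20 chars, 4 classes
```

Because the function takes the password as a plain string, call it interactively and not from a logged script; the point is to catch a weak administrative password before it is set, not to store candidates anywhere.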

F. User Password Management

Microsoft Windows provides several parameters for controlling user passwords.

Password Policy (must be set at the Domain level)

• History – Windows can keep track of previous passwords used and prevent a user from using the same password repeatedly.

• Ageing – users can be required to change passwords after a specified number of days.

• Length – users can be required to use passwords that have a minimum number of characters.

• Complexity – see Section E.

Account Lockout Policy – user accounts can be locked for a certain amount of time after a specified number of unsuccessful logon attempts.

Note: If you configure an Account Lockout Policy, a network-based Denial of Service attack can potentially cause a lockout on many or all of your accounts.

• Account lockout duration: 30 minutes

(Determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked.)

• Account lockout threshold: 10 invalid logon attempts

(Determines the number of failed logon attempts that causes a user account to be locked out.)

• Reset account lockout counter after (Observation Window): 30 minutes

(Determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts.)

WHY: Enforcing various parameters of passwords can help strengthen security (i.e., preventing blank passwords, enforcing complex passwords). Enforcing lockout policies can help thwart brute force hack attempts.

Can be implemented with GPO’s: YES

Computer Configuration / Windows Settings / Security Settings / Account Policies / Account Lockout Policy

G. Disable Terminated Employee Accounts

Employees who have left the university should have their access to network resources disabled immediately. Consider network accounts, email accounts, eID, etc. Each department should devise a procedure that notifies IT administrators that an employee has been terminated.

WHY: Terminated employees should not have access to CSU systems; disabling accounts can help prevent unauthorized access.

Can be implemented with GPO’s: NO

V. Restrict Anonymous Access & NTLM Authentication

A. Restrict Anonymous on Windows XP and 2003 Systems

There are multiple places to configure anonymous access on XP and 2003 systems.

Note: These settings will break connectivity with Windows NT 4 systems. Per CSU’s Campus IT Security Policy, “Only operating systems that are secure according to current best practices and require strong authentication shall be used. In particular, only Windows 2000 or later Windows operating systems shall be used.”

Note: Microsoft Outlook clients older than the 2003 version that are doing a MAPI connection to an Exchange server require anonymous access to global catalog servers. If you have these clients in your environment then you should not turn on “restrict anonymous” on your global catalog servers.

1.) Restrict Anonymous

Registry Settings:

Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Value Name: RestrictAnonymous

Data Type: REG_DWORD

Valid Range: 0,1

Preferred: 1

Default: 0

Description:

0 - None. Rely on default permissions

1 - Do not allow enumeration of SAM accounts and names

GPO/Security Policy Settings:

Location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network: Do not allow anonymous enumeration of SAM accounts and shares.

Preferred Setting: Enabled

B. Restrict Anonymous SAM

Microsoft states that this setting has no effect on DCs. This setting is not entirely clear at this point but it may be used in conjunction with RestrictAnonymous on XP boxes to give the equivalent of RestrictAnonymous Level 2 on Windows 2000 machines. Further research is required.

Registry Settings:

Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Value Name: RestrictAnonymousSAM

Data Type: REG_DWORD

Valid Range: 0,1

Preferred: 1

Default: 0

Description:

0 - None. Rely on default permissions

1 - No access without explicit anonymous permissions

GPO/Security Policy Settings:

Location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network: Do not allow anonymous enumeration of SAM accounts

Preferred Setting: Enabled

Can be implemented with GPO’s: YES

C. Restrict Anonymous SID/Name translation

This setting determines whether an anonymous user can request Security Identifier (SID) attributes for another user.

Registry Settings:

N/A

GPO/Security Policy Settings:

Location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network: Allow anonymous SID/Name translation.

Preferred Setting: Disabled

Can be implemented with GPO’s: YES

D. Let Everyone permissions apply to anonymous users

This is already disabled in Windows 2003 by default but is not defined in Windows 2000.

Registry Settings:

Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Value Name: everyoneincludesanonymous

Data Type: REG_DWORD

Valid Range: 0,1

Preferred: 0

Default: 0

Description:

0 - Anonymous users are not members of the Everyone group (Disabled)

1 - Permissions granted to Everyone also apply to anonymous users (Enabled)

GPO/Security Policy Settings:

Location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users

Preferred Setting: Disabled

Can be implemented with GPO’s: YES

E. Restrict Anonymous on Windows 2000 Systems

Microsoft states that setting this option to level 2 should only be done in a purely Windows 2000 environment.

Q 246261: How to Use the RestrictAnonymous Registry Value in Windows 2000


Note: Exchange 2000 will not function correctly with restrict anonymous set to level 2.

Registry Settings:

Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Value Name: RestrictAnonymous

Data Type: REG_DWORD

Valid Range: 0-2

Preferred: 2

Default: 0

Description:

0 - None. Rely on default permissions

1 - Do not allow enumeration of SAM accounts and names

2 - No access without explicit anonymous permissions

GPO/Security Policy Settings:

Location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Additional restrictions for anonymous connections

Preferred Setting:

No access without explicit anonymous permissions

Can be implemented with GPO’s: YES

F. Restrict Anonymous on Windows NT 4.0 Systems

Microsoft notes that this setting prevents the provided tools from enumerating users and shares; however, there are other API calls that support anonymous individual user lookup. This may mean that some hacking utilities can still enumerate user lists on Windows NT 4.0 anonymously with this setting in place.

Q143474: Restricting information available to anonymous logon users


Registry Settings:

Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Value Name: RestrictAnonymous

Data Type: REG_DWORD

Valid Range: 0-1

Preferred: 1

Default: 0

Description:

0 - None. Rely on default permissions

1 - Do not allow enumeration of SAM accounts and names

Can be implemented with GPO’s: NO

G. Implementing NTLM Authentication Security Settings

Restricting which LANMAN encryption method your network uses can be a difficult and potentially disruptive exercise. The best way to minimize impact to network users is to plan and proceed carefully and slowly. The process begins with determining what operating systems and applications you have in your network. Once you have identified the various configurations, you then test the settings you wish to use in a non-production environment to see if it is possible and what steps you may need to make it so. Finally, determine what order of implementation will minimize impact on your network users. This may mean installing additional drivers on legacy systems to allow them to use higher encryption standards and preparing other resources to allow alternatives to services that may no longer be available under the higher encryption standards. You may determine that it is not currently feasible to move to NTLMv2 only. In that case, you should at least prohibit the use of LM which is by far the weakest encryption method.

Once LM compatibility is set, it is relatively easy to set LM hash storage settings with minimal impact on the network. Password complexity rules can be implemented at any time but you may want to wait until LM hash storage is disabled. The last calculated LM hash stays on the system until the next password change, so it makes sense to implement password complexity last and then force a password change afterward. You may feel, however, that you cannot wait for the length of time necessary for the LM compatibility implementation process before requiring strong passwords.

Step 1. Inventory your network

Determine how many different operating systems are on your network. Windows 2000 and XP are ready for NTLMv2 out of the box but Win9x/ME and WinNT 4.0 are not. Also, new versions of Mac operating systems (X and higher?) support NTLMv2 but older versions require a little help. Also, note any software that uses or provides resources over the network. If a program provides an interface remotely or gathers remote data or uses any other remote resources, it may be impacted by a change in NTLM authentication.

Step 2. Testing

Once you have a list of all the legacy operating systems and network applications on your network, you should test any that you are uncertain of their behavior. Windows 2000 and XP work fine with NTLMv2, Windows 9X/ME and NT4.0 require the Directory Services Client from Microsoft to operate properly. Since this behavior is known, you may not need to test this ahead of time. Any Mac OS prior to X will probably require the latest Microsoft User Authentication Module (UAM) installed. We are not aware exactly which versions started natively supporting NTLMv2 so, when in doubt, test ahead of time. This could be done by setting a test box to use NTLMv2 only (refuse LM and NTLM), sharing out a directory and attempting to connect to it with the Mac.

All critical applications should be tested in a non-production environment before implementing the change on your network. A typical test environment would include a DC (using the same OS as your production network), a client system and one or more server systems running the software in question. In networks with mixed DS operating systems, you should either use the “lowest” level OS or match your production environment by running multiple DS’s in the test network. See “Application Compatibility” for more information on applications and situations to watch out for.

Step 3. Workstation Implementation

Once testing is done, start implementing LM Compatibility settings with the workstations in your domain. First, install any additional software necessary for the OS to use NTLMv2.

Directory Services Client (NT4.0 and Win9X/ME)



Microsoft User Authentication Module (Mac)



Take any steps necessary to allow other applications to run using NTLMv2 as discovered in your testing. We did not encounter anything that required special settings on workstations in our implementation. Also, keep in mind that any workstation that shares out resources (file or printer shares for example) needs to be set to NTLMv2 after (or at the same time as) other machines that use those resources.

LM Compatibility settings can be implemented via registry changes, the “local security settings” console (Win2k and up) or Group Policy Objects (Win2k and up). GPO’s offer the greatest ease of implementation and management. Instead of making this change in the “Default Domain Policy”, you should create an Organizational Unit structure to isolate workstation accounts from other machine accounts that you do not want to set NTLMv2 on right away and create an authentication security policy for them. You have to use registry settings on legacy operating systems (Win9x/ME, WinNT4.0).

H. NTLMv2 on Windows NT4.0, XP, 2000 and 2003 Systems:

Note: If you use the Symantec Ghost drive mapping boot disk option, it uses LM authentication and it does not support NTLM authentication.

Note: If you use University Relations RamCopy Xerox printers with network scanning, this feature uses LM authentication and it does not support NTLM authentication.

GPO/Security Policy Settings:

Windows 2003, XP:

Location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: LAN Manager Authentication Level

Preferred Setting:

Send NTLMv2 response only\refuse LM & NTLM

Windows 2000:

Location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\LAN Manager Authentication Level

Preferred Setting:

Send NTLMv2 response only\refuse LM & NTLM

Registry Settings:

Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Value: LMCompatibilityLevel

Value Type: REG_DWORD - Number

Valid Range: 0-5

Preferred: 5

Default: 0

Description: This parameter specifies the type of authentication to be used.

Level 0 - Send LM response and NTLM response; never use NTLMv2 session security

Level 1 - Use NTLMv2 session security if negotiated

Level 2 - Send NTLM authentication only

Level 3 - Send NTLMv2 authentication only

Level 4 - DC refuses LM authentication

Level 5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)

I. NTLMv2 on Windows 9x Systems:

Registry Settings:

Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Value Name: LMCompatibility

Data Type: REG_DWORD

Valid Range: 0,3

Preferred: 3

Default: 0

Description: This parameter specifies the mode of authentication and session security to be used for network logons. It does not affect interactive logons.

Level 0 - Send LM and NTLM response; never use NTLM 2 session security

Level 3 - Send NTLM 2 response only. Clients will use NTLM 2 authentication and use NTLM 2 session security if the server supports it.

Step 4. Member Server Implementation

After the workstations on your network have been set to NTLMv2 only for a few days (and you’ve worked out any problems), configure the member servers (non-domain controllers). This might include Exchange, IIS, SQL Servers, etc. Again, the best way to implement this is via GPO. Put all of your member servers beneath an OU and create a GPO specifically to control LM Compatibility for them.

Step 5. Domain Controller Implementation

Once member servers are using NTLMv2 only and you’ve had time to work out any issues this caused, you can move your Domain Controllers.

Step 6. Implement No LM Hash Storage for all systems

Once your network is operating without LM you can tell your systems never to store the LM hash for passwords. Once this is done, all users need to change their passwords once to get rid of the existing calculated LM hash. There is no way to prevent LM hash storage on legacy systems (Windows 9x/ME). You could create new GPO’s for this or use the same ones created earlier for LM compatibility. At this point it is safe to implement this domain wide so you either could create a single GPO setting at the domain level or on each OU used to store computer objects.

J. No LM hash storage on Windows XP, 2000 and 2003 Systems:

GPO/Security Policy Settings:

Windows 2003, XP:

Location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Do not store LAN Manager hash value on next password change

Preferred Setting: Enabled

Windows 2000:

N/A – Not available when using a Windows 2000 client to edit GPO's.

Registry Settings:

Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Value: NoLMHash

Value Type: REG_DWORD - Number

Valid Range: 0-1

Preferred: 1

Default: 0

Description: This parameter specifies whether the LM hash of a user's password is stored locally at the next password change.

Level 0 - Store LM hash for password locally.

Level 1 - Do not store LM hash for passwords locally.

Step 7. Implement Password Complexity Rules

Finally, you can configure password complexity rules for your domain. This must be done at the domain level (where the “Default Domain Policy” resides). As a best practice, you should not modify the “Default Domain Policy”. Instead, create a new policy at this level and move it higher than the default policy in precedence to be sure it works properly. These rules can only be implemented domain wide, not on an individual OU (even though it looks like it is possible in the interface). The following settings closely mimic the Campus Security Committee recommendations. Further settings affecting account lockout, password aging and history are also available in the same GPO section.

K. Password Complexity Settings on Windows XP, 2000 and 2003 Systems:

GPO/Security Policy Settings:

Location:

1. Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length

Preferred Setting: 8 characters

2. Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements

Preferred Setting: Enabled

L. Troubleshooting:

After implementing these security settings you will likely run into problems that may be related. A good example is running Outlook with an Exchange account on a system you just joined to the domain. The default location where new computers are added to the domain is the “Computers” container at the AD root. Unless you use a single GPO to set LM compatibility at the root of the domain, new computer accounts will not be set to use NTLMv2 initially. You will be able to log on to the machine because that uses Kerberos, but you probably won’t be able to set up Outlook properly. When you try to open Outlook with an Exchange MAPI profile, you keep getting authentication dialog boxes that do not seem to work. You cannot apply a GPO directly to the Computers container, but there are a few solutions to this problem:

1. Set LM compatibility at the root of the domain (same place as the “Default Domain Policy”). This will apply to computers in the default “computers” container but you may not want or be able to use the same settings for all systems in your domain.

2. Pre-create computer accounts in the correct OU as an administrator then join to the domain. This allows you to put the account in a location to receive the GPO settings immediately.

3. Move the account from the computers container to the correct OU before setting up Outlook. This requires no special settings but you need to remember to periodically move machine accounts to an OU.

4. Change the default location of new computer objects created in the domain. If you have all Windows 2003 DC’s you can change the default location where new computer objects are created. This is described in the following KB article:



If you have a system that just doesn’t seem to authenticate properly, make sure that it is receiving the proper LM compatibility setting. For legacy clients, you need to check the registry setting and be sure the DSClient is installed. For newer systems (W2K, XP, W2K3), you can check this either in the registry or in the “local security settings” console under “Administrative tools”. If the system is not getting the GPO, try to refresh the policy at a command prompt as follows:

Windows 2000:

Secedit.exe /refreshpolicy machine_policy

Windows XP/2003:

Gpupdate.exe

Check the setting again and look in the Application Event Log for errors receiving the policy (source = SceCli). If the system still does not get the GPO setting, double check the GPO structure to make sure the computer account should be getting the setting. The account may be in a location in AD that does not have the setting applied to it or there may be a conflicting GPO with higher precedence. If all else fails, try setting the level manually in the “local security policy” console or the registry.
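The registry checks from sections H and J, run across a batch of machines before the next tier is moved (steps 4 to 6), as an added PowerShell example that is not part of the CSU document. It assumes the Remote Registry service is running on the targets, that the caller is an administrator there, and that the host names are placeholders.

```powershell
# Added example, not from the CSU document. Audits the LMCompatibilityLevel
# (section H) and NoLMHash (section J) registry values on a list of Windows
# 2000/XP/2003 machines through the Remote Registry service and reports any
# that still fall below the document's preferred settings (5 and 1).
# Assumptions: Remote Registry is running on the targets, the caller is an
# administrator there, and the host names at the bottom are placeholders.

$LevelDescription = @{
    0 = 'Send LM and NTLM response; never use NTLMv2 session security'
    1 = 'Use NTLMv2 session security if negotiated'
    2 = 'Send NTLM authentication only'
    3 = 'Send NTLMv2 authentication only'
    4 = 'DC refuses LM authentication'
    5 = 'DC refuses LM and NTLM authentication (accepts only NTLMv2)'
}

function Get-LmAuthSetting {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [int]$RequiredLevel    = 5,   # preferred LMCompatibilityLevel
        [int]$RequiredNoLMHash = 1    # preferred NoLMHash
    )
    foreach ($computer in $ComputerName) {
        $result = [ordered]@{
            Computer             = $computer
            LMCompatibilityLevel = $null
            NoLMHash             = $null
            Description          = $null
            Compliant            = $false
            Error                = $null
        }
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            # An absent value means the default (0) is in effect. This checks only
            # the REG_DWORD described in section J; Windows 2000 uses a NoLMHash
            # subkey instead, which reads as 0 here.
            $level  = [int]($lsa.GetValue('LMCompatibilityLevel', 0))
            $noHash = [int]($lsa.GetValue('NoLMHash', 0))
            $lsa.Close()
            $hklm.Close()

            $result.LMCompatibilityLevel = $level
            $result.NoLMHash             = $noHash
            $result.Description          = $LevelDescription[$level]
            $result.Compliant            = ($level -ge $RequiredLevel) -and
                                           ($noHash -ge $RequiredNoLMHash)
        }
        catch {
            # Typically: Remote Registry stopped, a firewall, or no admin rights.
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# List only the machines that still need attention. Pass -RequiredNoLMHash 0
# while only LM compatibility (steps 3 to 5) is being rolled out.
Get-LmAuthSetting -ComputerName 'ws01', 'ws02', 'exch01' |
    Where-Object { -not $_.Compliant } |
    Format-Table Computer, LMCompatibilityLevel, NoLMHash, Description, Error -AutoSize
```

A machine that shows an Error rather than a level is worth a second look too: the Remote Registry service is part of the Appendix A baseline, so a failed read can itself indicate a host that is not receiving policy.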

M. Application Compatibility

The following is a list of applications to watch out for and what is known about their behavior when using NTLMv2 only:

1). Database Servers (SQL Server, Oracle, MySQL, etc): We do not have information on database servers at this time. Make sure that management tools, development tools and client applications can authenticate using whatever mode you have selected (integrated vs. non-integrated authentication, database accounts vs. machine or network accounts, etc.).

2). Web Servers (IIS, Apache, etc): IIS appears to work fine with NTLMv2 but you probably want to make sure that all workstations are set to NTLMv2 before moving the server, particularly if using IE integrated authentication on protected sites. You will probably need to use basic authentication with SSL encryption to allow authentication on password protected sites. Anonymous sites should not be impacted. We have no data on other web servers at this point. The thing to watch for in particular is proper operation of restricted sites.

3). Windows Compatible File Sharing (SAMBA, NAS/SNAP servers etc): As of Version 3.0, SAMBA should be capable of supporting NTLMv2, but we have no experience with this yet. We do not have any data on other NAS/SNAP or other file sharing boxes, but any existing in your environment should be researched and tested with a client set to NTLMv2 only.

4). Mail Servers and Clients (Exchange, Outlook, IMAP clients, etc.): Exchange 2003 server running on Windows 2003 works properly with NTLMv2 but it must be rolled out in the proper order to work correctly. With the DC’s set to NTLMv2 Only and the Exchange server set to accept all authentication methods, IMAP authentication would not work properly. We had to scale back the DC’s to accept NTLMv2 and NTLM until we were ready to move the Exchange server to NTLMv2 only. As with most scenarios, you need to make sure all client systems using a MAPI client like Outlook are set to send NTLMv2 before moving the server. That includes any systems not in your domain like home systems or machines in other domains. Once all the client machines are using NTLMv2, you can safely set the DC’s and Exchange servers to NTLMv2 Only. While we have not tested Exchange 2000, it is likely to behave similarly. The Outlook versions tested were Office XP and 2003 and older versions should be tested before putting these settings into production. As long as the DC’s and Exchange servers are at a similar level, IMAP clients should work properly with Exchange. We currently have no data on other mail servers. If they use Windows user accounts, then they will likely be impacted by this setting and should definitely be researched and tested.

5). Cisco VPN: ACNS runs a Cisco VPN Concentrator used predominantly by campus wireless users and off-campus machines. There are two ways in which authentication can occur – Radius or Windows. The default VPN group set up by ACNS uses Radius authentication with users entering their eID and password, and this is not impacted by NTLMv2 settings. A few departments have asked to have a special VPN group configured to authenticate against their Windows domain. The Cisco equipment/OS in use does not support NTLMv2, so Windows domain authentication is not possible at this time with these settings. Keep in mind that home machines must be configured to send NTLMv2 regardless of VPN use.

6). Off Campus and Off Domain Machines: All machines connecting to your domain need to be configured to send NTLMv2 to use shared resources. If they are also sharing resources, they need to be able to accept NTLMv2 as well. These systems can be configured with a registry change or the “Local Security Policy” console (Win2K or up). If the machines are in another domain and LM Compatibility level is set in a GPO, the setting needs to be corrected in the GPO.

APPENDIX A – Windows 2003 Server Baseline Services Settings

|Service Name |Service Application Name |Default Setting |Member Server |Domain Controller |
|Alerter |Alerter |Disabled |Disabled |Disabled |
|Application Layer Gateway Service |ALG |Disabled |Disabled |Disabled |
|Application Management |AppMgmt |Disabled |Disabled |Disabled |
|ASP .NET State Service |aspnet_state |Disabled |Disabled |Disabled |
|Automatic Updates |wuauserv |Automatic |Automatic |Automatic |
|Background Intelligent Transfer Service |BITS |Manual |Manual |Manual |
|Certificate Services |CertSvc |Disabled |Disabled |Disabled |
|Client Service for NetWare |NWCWorkstation |Disabled |Disabled |Disabled |
|ClipBook |ClipSrv |Disabled |Disabled |Disabled |
|Cluster Service |ClusSvc |Disabled |If Needed |If Needed |
|COM+ Event Services |EventSystem |Manual |Manual |Manual |
|COM+ System Application |COMSysApp |Disabled |Disabled |Disabled |
|Computer Browser |Browser |Automatic |Automatic |Automatic |
|Cryptographic Services |CryptSvc |Automatic |Automatic |Automatic |
|DHCP Client |Dhcp |Automatic |Automatic |Automatic |
|DHCP Server |DHCPServer |Disabled |If Needed |Disabled |
|Distributed File System (typically DC’s only) |Dfs |Disabled |Disabled |Automatic |
|Distributed Link Tracking Client |TrkWks |Disabled |Disabled |Disabled |
|Distributed Link Tracking Server |TrkSvr |Disabled |Disabled |Disabled |
|Distributed Transaction Coordinator |MSDTC |Disabled |Disabled |Disabled |
|DNS Client |Dnscache |Automatic |Automatic |Automatic |
|DNS Server (ACNS only) |DNS |Disabled |Disabled |Disabled |
|Error Reporting Service |ERSvc |Disabled |Disabled |Disabled |
|Event Log |Eventlog |Automatic |Automatic |Automatic |
|Fax Service |Fax |Disabled |Disabled |Disabled |
|File Replication (typically DC’s only) |NtFrs |Disabled |Disabled |Automatic |
|File Server for Macintosh |MacFile |Disabled |If Needed |If Needed |
|FTP Publishing Service |MSFtpsvc |Disabled |Disabled |Disabled |
|Help and Support |helpsvc |Disabled |Disabled |Disabled |
|HTTP SSL |HTTPFilter |Disabled |Disabled |Disabled |
|Human Interface Device Access |HidServ |Disabled |Disabled |Disabled |
|IAS Jet Database Access |IASJet |Disabled |Disabled |Disabled |
|IIS Admin Service |IISADMIN |Disabled |If Needed |Disabled |
|IMAPI CD-Burning COM Service |ImapiService |Disabled |Disabled |Disabled |
|Indexing Service |cisvc |Disabled |Disabled |Disabled |
|Infrared Monitor |Irmon |Disabled |Disabled |Disabled |
|Internet Authentication Service |IAS |Disabled |Disabled |Disabled |
|Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) |SharedAccess |Disabled |Disabled |Disabled |
|Intersite Messaging |IsmServ |Automatic |Automatic |Automatic |
|IP Version 6 Helper Service |6to4 |Disabled |Disabled |Disabled |
|IPSec Policy Agent (IPSec Service) |PolicyAgent |Automatic |Automatic |Automatic |
|Kerberos Key Distribution Center |Kdc |Automatic |Automatic |Automatic |
|License Logging Service |LicenseService |Disabled |Disabled |Disabled |
|Logical Disk Manager |dmserver |Manual |Manual |Manual |
|Logical Disk Manager Administrative Service |dmadmin |Manual |Manual |Manual |
|Message Queuing |msmq |Disabled |Disabled |Disabled |
|Message Queuing Down Level Clients |mqds |Disabled |Disabled |Disabled |
|Message Queuing Triggers |Mqtgsvc |Disabled |Disabled |Disabled |
|Messenger |Messenger |Disabled |Disabled |Disabled |
|Microsoft POP3 Service |POP3SVC |Disabled |Disabled |Disabled |
|MS Software Shadow Copy Provider |SwPrv |Manual |Manual |Manual |
|MSSQL$UDDI |MSSQL$UDDI |Disabled |Disabled |Disabled |
|MSSQLServerADHelper |MSSQLServerADHelper |Disabled |Disabled |Disabled |
|.NET Framework Support Service |CORRTSvc |Disabled |Disabled |Disabled |
|Netlogon |Netlogon |Automatic |Automatic |Automatic |
|NetMeeting Remote Desktop Sharing |mnmsrvc |Disabled |Disabled |Disabled |
|Network Connections |Netman |Manual |Manual |Manual |
|Network DDE |NetDDE |Disabled |Disabled |Disabled |
|Network DDE DSDM |NetDDEdsdm |Disabled |Disabled |Disabled |
|Network Location Awareness (NLA) |NLA |Manual |Manual |Manual |
|Network News Transfer Protocol (NNTP) |NntpSvc |Disabled |Disabled |Disabled |
|NTLM Security Support Provider |NtLmSsp |Automatic |Automatic |Automatic |
|Performance Logs and Alerts |SysmonLog |Manual |Manual |Manual |
|Plug and Play |PlugPlay |Automatic |Automatic |Automatic |
|Portable Media Serial Number |WmdmPmSN |Disabled |Disabled |Disabled |
|Print Server for Macintosh |MacPrint |Disabled |Disabled |Disabled |
|Print Spooler |Spooler |Disabled |If Needed |If Needed |
|Protected Storage |ProtectedStorage |Automatic |Automatic |Automatic |
|Remote Access Auto Connection Manager |RasAuto |Disabled |Disabled |Disabled |
|Remote Access Connection Manager |RasMan |Disabled |Disabled |Disabled |
|Remote Administration Service |SrvcSurg |Manual |Manual |Manual |
|Remote Desktop Help Session Manager |RDSessMgr |Disabled |Disabled |Disabled |
|Remote Installation |BINLSVC |Disabled |Disabled |Disabled |
|Remote Procedure Call (RPC) |RpcSs |Automatic |Automatic |Automatic |
|Remote Procedure Call (RPC) Locator |RpcLocator |Automatic |Automatic |Automatic |
|Remote Registry Service |RemoteRegistry |Automatic |Automatic |Automatic |
|Remote Server Manager |AppMgr |Disabled |Disabled |Disabled |
|Remote Server Monitor |Appmon |Disabled |Disabled |Disabled |
|Remote Storage Notification |Remote_Storage_User_Link |Disabled |Disabled |Disabled |
|Remote Storage Server |Remote_Storage_Server |Disabled |Disabled |Disabled |
|Removable Storage |NtmsSvc |Manual |Manual |Manual |
|Resultant Set of Policy Provider |RSoPProv |Disabled |Disabled |Disabled |
|Routing and Remote Access |RemoteAccess |Disabled |Disabled |Disabled |
|SAP Agent |nwsapagent |Disabled |Disabled |Disabled |
|Secondary Logon |seclogon |Disabled |Disabled |Disabled |
|Security Accounts Manager |SamSs |Automatic |Automatic |Automatic |
|Server |lanmanserver |Automatic |Automatic |Automatic |
|Shell Hardware Detection |ShellHWDetection |Disabled |Disabled |Disabled |
|Simple Mail Transport Protocol (SMTP) |SMTPSVC |Disabled |If Needed |Disabled |
|Simple TCP/IP Services |SimpTcp |Disabled |Disabled |Disabled |
|Single Instance Storage Groveler |Groveler |Disabled |Disabled |Disabled |
|Smart Card |SCardSvr |Disabled |Disabled |Disabled |
|SNMP Service |SNMP |Disabled |Disabled |Disabled |
|SNMP Trap Service |SNMPTRAP |Disabled |Disabled |Disabled |
|Special Administration Console Helper |Sacsvr |Disabled |Disabled |Disabled |
|SQLAgent$* (* UDDI or WebDB) |SQLAgent$WEBDB |Not Defined |Not Defined |Not Defined |
|System Event Notification |SENS |Automatic |Automatic |Automatic |
|Task Scheduler |Schedule |Disabled |Disabled |Disabled |
|TCP/IP NetBIOS Helper Service |LMHosts |Automatic |Automatic |Automatic |
|TCP/IP Print Server |LPDSVC |Disabled |Disabled |Disabled |
|Telephony |TapiSrv |Disabled |Disabled |Disabled |
|Telnet |TlntSvr |Disabled |Disabled |Disabled |
|Terminal Services |TermService |Automatic |Automatic |Automatic |
|Terminal Services Licensing |TermServLicensing |Disabled |If Needed |If Needed |
|Terminal Services Session Directory |Tssdis |Disabled |Disabled |Disabled |
|Themes |Themes |Disabled |Disabled |Disabled |
|Trivial FTP Daemon |tftpd |Disabled |Disabled |Disabled |
|Uninterruptible Power Supply |UPS |Disabled |If Needed |If Needed |
|Upload Manager |Uploadmgr |Disabled |Disabled |Disabled |
|Virtual Disk Service |VDS |Disabled |Disabled |Disabled |
|Volume Shadow Copy |VSS |Manual |Manual |Manual |
|WebClient |WebClient |Disabled |Disabled |Disabled |
|Web Element Manager |elementmgr |Disabled |Disabled |Disabled |
|Windows Audio |AudioSrv |Disabled |Disabled |Disabled |
|Windows Image Acquisition (WIA) |StiSvc |Disabled |Disabled |Disabled |
|Windows Installer |MSIServer |Automatic |Automatic |Automatic |
|Windows Internet Name Service (WINS) |WINS |Disabled |Disabled |If Needed |
|Windows Management Instrumentation |winmgmt |Automatic |Automatic |Automatic |
|Windows Management Instrumentation Driver Extensions |Wmi |Manual |Manual |Manual |
|Windows Media Services |WMServer |Disabled |Disabled |Disabled |
|Windows System Resource Manager |WindowsSystemResourceManager |Disabled |Disabled |Disabled |
|Windows Time |W32Time |Automatic |Automatic |Automatic |
|WinHTTP Web Proxy Auto-Discovery Service |WinHttpAutoProxySvc |Disabled |Disabled |Disabled |
|Wireless Configuration |WZCSVC |Disabled |Disabled |Disabled |
|WMI Performance Adapter |WmiApSrv |Manual |Manual |Manual |
|Workstation |lanmanworkstation |Automatic |Automatic |Automatic |
|World Wide Web Publishing Service |W3SVC |Disabled |If Needed |Disabled |
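A way to check a Windows Server 2003 host against the Appendix A baseline for its role, as an added PowerShell example that is not part of the CSU document. The baseline array is a constructed excerpt of the table above (service application names and the Member Server / Domain Controller columns); the full table can be pasted in the same shape.

```powershell
# Added example, not from the CSU document. Compares the startup type of the
# services on a Windows Server 2003 host with the Appendix A baseline for its
# role. $Baseline is a constructed excerpt of the table; add the remaining rows
# in the same form. 'If Needed' entries are skipped because they are a site
# decision rather than a fixed value.

$Baseline = @(
    @{ Name = 'Alerter';        MemberServer = 'Disabled';  DomainController = 'Disabled'  }
    @{ Name = 'Browser';        MemberServer = 'Automatic'; DomainController = 'Automatic' }
    @{ Name = 'Messenger';      MemberServer = 'Disabled';  DomainController = 'Disabled'  }
    @{ Name = 'RemoteRegistry'; MemberServer = 'Automatic'; DomainController = 'Automatic' }
    @{ Name = 'Schedule';       MemberServer = 'Disabled';  DomainController = 'Disabled'  }
    @{ Name = 'SNMP';           MemberServer = 'Disabled';  DomainController = 'Disabled'  }
    @{ Name = 'Spooler';        MemberServer = 'If Needed'; DomainController = 'If Needed' }
    @{ Name = 'TlntSvr';        MemberServer = 'Disabled';  DomainController = 'Disabled'  }
    @{ Name = 'W3SVC';          MemberServer = 'If Needed'; DomainController = 'Disabled'  }
)

function Compare-ServiceBaseline {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('MemberServer', 'DomainController')][string]$Role,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Win32_Service reports StartMode as Auto / Manual / Disabled (plus Boot and
    # System for drivers); map it onto the wording used in the table.
    $modeMap  = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }
    $services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName

    foreach ($entry in $Baseline) {
        $expected = $entry[$Role]
        if ($expected -eq 'If Needed') { continue }
        $svc = $services | Where-Object { $_.Name -eq $entry.Name }
        if (-not $svc) { continue }   # service not installed on this host
        $actual = $modeMap[$svc.StartMode]
        [pscustomobject]@{
            Computer = $ComputerName
            Service  = $svc.DisplayName
            Name     = $svc.Name
            Expected = $expected
            Actual   = $actual
            Running  = ($svc.State -eq 'Running')
            Deviates = ($actual -ne $expected)
        }
    }
}

# Show only the services whose startup type differs from the baseline.
Compare-ServiceBaseline -Role MemberServer |
    Where-Object { $_.Deviates } |
    Format-Table Computer, Service, Name, Expected, Actual, Running -AutoSize
```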

APPENDIX B – Resource Links

Securing Windows 2000 Server



Windows 2000 Security Hardening Guide



Windows Server 2003 Security Guide



Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP



Windows Deployment and Resource Kits



Exchange Server 2003 Security Hardening Guide



National Security Agency Operating Systems Security Guides



Port Requirements for the Microsoft Windows Server System



How To Harden the TCP Stack



How To Disable NetBIOS on Windows 2000 Servers in Untrusted Networks



Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments



Additional Security & Hardening-related Registry Settings


